To Err is Human, To Prepare is Good Business

By Peter Kelman, Esq.

This article appeared in substantially the same form in the Boston Law Tribune, April 30, 2001.

You would not deposit money in a bank that did not lock its vault. You would not bring a ring for repair to a jeweler that did not secure its premises. As consumers, we expect that merchants will take appropriate steps to safeguard our property. In the world of traditional retail, where we interact with merchants whose “sites” are stores, we feel capable of assessing the security of that which we can see and touch. Think of the assurance you feel walking into a bank lobby (assuming you are not doing an ATM transaction), to see behind rows of steel bars the foot-thick slab of lead that seals the safety vault. Security, thy name is mass.

But go from retail to e-tail and the picture changes. You can’t see and touch Internet structures and data base security algorithms. What is the on-line equivalent of a bank vault: a sturdy fire-wall, a robust privacy policy? Who is capable of judging whether such devices are sufficient or even real?

Apparently not even the owners of web sites. And therein lies the problem. What does it mean if a web site says its data is secure when in fact it is not? What liability arises if a web site does not “lock the door” to its data vault? For example, consider the condition discovered by David Ritchie, President of PetRock Technology, Inc., a Boston and New York technology consulting and software development firm. While modifying a client web site, PetRock discovered that the administrative password to the database had never been changed from the default password that came out of the box with the original database. If you identified yourself as “User” with a password of “Password”, you could have had full access to all data stored by the site. PetRock then randomly queried approximately 10,000 sites and discovered six other sites that had similarly failed to change administrative passwords from the default provided by the manufacturer.

No site wants to publicize it security failures, but some make the news. For example, in January, Travelocity.com, Inc. disclosed that it had exposed the names and email addresses of about 44,000 subscribers. The company stated that the file was “inadvertently posted” on its Web site and apologized to its customers. More recently, VeriSign discovered that it had compromised security of certain Microsoft products by improperly issuing digital certificates to an individual who impersonated a Microsoft employee. Computerworld’s Security Newsletter reported the incident in an article entitled “Human Error May be No. 1 Threat to Online Security.” Security experts agree that the most substantial risk to system integrity comes not from the attack of a malicious hacker, but from the failure of an enterprise to adequately protect against internal mistakes.

It is just a matter of time before information, improperly disclosed by a web site, facilitates the commission of cyber-crimes common in today’s information age, such as identity theft, misappropriation of credit information, or dissemination of private information, to name a few. It would be naïve to think that a letter from the offending site to its customers apologizing for the security lapse would redress all harms suffered by its subscribers. In today’s world, where there’s harm, there’s lawyers.

Liability could arise from any of several sources. For example, the Federal Trade Commission (“FTC”) maintains jurisdiction to investigate and fine businesses that commit unfair and deceptive trade practices. Most states, including Massachusetts, have analogous laws that entitle consumers to remedies (sometimes treble damages and attorney’s fees) when they have been harmed by such practices. If a web site posts a privacy policy that states that its data is secure, when in fact that is not the case, has the site engaged in an unfair and deceptive practice? The FTC is certainly keeping a close watch on sites where the de facto privacy policy is other than the posted privacy policy. Additionally, a site may find itself liable to its subscribers under a theory of breach of contract. Many sites incorporate a privacy policy into their subscribers’ terms of use agreement. If the site misrepresents its privacy policy, this could be deemed a breach of contract.

As a site owner, you can take steps to minimize exposure against such a breach of security. Security is as much about policies and procedures as it is about technology. The strongest lock in the world affords no protection if the night clerk leaves in the key. You may want to insure against such potential lapses.

Jim Stoller, an account executive with the Telamon insurance network, devotes a large part of his practice to insuring technology companies. He notes that many insurers have developed new policies to protect against cyber risks. The AIG insurance company has created a group of policies it calls “netAdvantage Suite” to protect against the perils of doing business on the Internet. Stoller believes that these new insurance products offer security to businesses because they adopt the language of the Internet and e-commerce to describe the risks covered, thereby reducing ambiguity as to what is covered and what is not. For example, it is not clear, under a traditional insurance policy, whether a disruption to business caused by a hacker’s onslaught would be an insurable peril.

Legally, you can do several things to minimize your exposure. First, if you have a user agreement with your customer, be sure it contains a limitation of liability clause. While not always enforceable, it creates a presumption in your favor. Second, review your site’s privacy policy. In fact, consider whether you even need a privacy policy. Currently, unless your site engages in specific activities, like financial and medical services, or does business with specific audiences, like children, a privacy policy is not required. It may be a requirement of the marketplace, but it is not a requirement by law. However if you do adopt a privacy policy, make sure you not only articulate it carefully, but also implement it thoroughly. With respect to privacy, what you do is more important than what you say. If you share information with other entities, make sure you understand what they will and will not do with your information. You have the power, if you negotiate, to restrict how your site’s data will be used. Lastly, on the Internet, nothing is etched in stone. Your privacy policy can change. Be very careful, however, as to the notice and participation mechanisms you provide your customers.

In the end, vigilance may be your best defense. Computer systems are becoming increasingly complicated. As interoperability and seamless communications become more widespread, the consequences of a security lapse magnify many-fold. It may be impossible to put your customer’s data in a bank-like vault on the Internet, but you would be wise to continuously monitor and test your security procedures. Make sure the programmers who design, develop and implement your security features understand the importance of their jobs; get their feedback on the effectiveness of your security measures. Accidents will happen and may be out of your control; but the consequences of accidents can be controlled by careful planning.